CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23240 – tls: Fix race condition in tls_sw_cancel_work_tx()
https://notcve.org/view.php?id=CVE-2026-23240
10 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_... • https://git.kernel.org/stable/c/f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23239 – espintcp: Fix race condition in espintcp_close()
https://notcve.org/view.php?id=CVE-2026-23239
10 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: espintcp: Fix race condition in espintcp_close() This issue was discovered during a code audit. After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk. The following is a simple race scenario: cpu0 cpu1 espintcp_close() cancel_work_sync(&ctx->work); espint... • https://git.kernel.org/stable/c/e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-14027 – xattr: switch to CLASS(fd)
https://notcve.org/view.php?id=CVE-2024-14027
09 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user... • https://git.kernel.org/stable/c/c3a5e3e872f3688ae0dc57bb78ca633921d96a91 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23238 – romfs: check sb_set_blocksize() return value
https://notcve.org/view.php?id=CVE-2026-23238
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=40... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23237 – platform/x86: classmate-laptop: Add missing NULL pointer checks
https://notcve.org/view.php?id=CVE-2026-23237
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs at... • https://git.kernel.org/stable/c/529aa8cb0a59367d08883f818e8c47028e819d0d •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23236 – fbdev: smscufx: properly copy ioctl memory to kernelspace
https://notcve.org/view.php?id=CVE-2026-23236
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel. • https://git.kernel.org/stable/c/3c8a63e22a0802fd56380f6ab305b419f18eb6f5 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23235 – f2fs: fix out-of-bounds access in sysfs attribute read/write
https://notcve.org/view.php?id=CVE-2026-23235
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs attribute read/write Some f2fs sysfs attributes suffer from out-of-bounds memory access and incorrect handling of integer values whose size is not 4 bytes. For example: vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out vm:~# cat /sys/fs/f2fs/vde/carve_out 65537 vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold 1 carve_out maps to {struct f2fs_sb_info... • https://git.kernel.org/stable/c/b59d0bae6ca30c496f298881616258f9cde0d9c6 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23234 – f2fs: fix to avoid UAF in f2fs_write_end_io()
https://notcve.org/view.php?id=CVE-2026-23234
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition: loop device umount - worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request - blk_update_request - f2fs_write_end_io - dec_page_count - folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi) : get_pages(, F2FS... • https://git.kernel.org/stable/c/e234088758fca3a669ebb1a02d8bf7bf60f0e4ff •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23233 – f2fs: fix to avoid mapping wrong physical block for swapfile
https://notcve.org/view.php?id=CVE-2026-23233
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid mapping wrong physical block for swapfile Xiaolong Guo reported a f2fs bug in bugzilla [1] [1] https://bugzilla.kernel.org/show_bug.cgi?id=220951 Quoted: "When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, the system experiences data corruption leading to either: 1 dm-verity corruption errors and device reboot 2 F2FS node corruption errors and boot hangs The issue occurs specifically when: 1 Usin... • https://git.kernel.org/stable/c/40d76c393cca83938b11eb7ca8983aa3cd0ed69b •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23232 – Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()"
https://notcve.org/view.php?id=CVE-2026-23232
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()" This reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a. Original patch may cause below deadlock, revert it. write remount - write_begin - lock_page --- lock A - prepare_write_begin - f2fs_map_lock - f2fs_enable_checkpoint - down_write(cp_enable_rwsem) --- lock B - sync_inode_sb - writepages - lock_page --- lock A - down_read(cp_enable_rwsem) --- lock A • https://git.kernel.org/stable/c/196c81fdd438f7ac429d5639090a9816abb9760a •